- Introduction
Maclocking assigns MAC addresses to a port so that unauthorized devices cannot send frames through that port.
Maclocking is also a great tool to protect against MAC flooding attacks and, in some cases, MAC spoofing attacks.
- Maclock configuration – steps:
(su)->set maclock trap ge.1.1-48 enable
Enable a trap in case of a violation.
set maclock agefirstarrival ge.1.1-48 enable
Enable aging for MAC addresses (default is 300 secs).
set maclock firstarrival ge.1.1-48 100
Set the limit of dynamic MAC addresses per port.
set maclock static ge.1.1-48 1
Set the maximum number of static MAC addresses per port. In most cases “1” is sufficient, e.g. for servers, but you can adjust it according to your needs.
set maclock enable ge.1.1-48
Enable the maclock feature on ports. On ports where other switches are connected, the best option is not to enable it.
set maclock enable
Enable maclock globally. From this moment your MAC locking starts to work.
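The steps above as a generated command list that leaves out the ports connecting to other switches. This is an added example, not part of the original post; the function names, the single-slot ge.<slot>.<port> numbering and the sample uplink ports 24 and 48 are assumptions.

```python
# Added example: builds the maclock command sequence from this page for one
# slot, leaving out uplink ports. Port numbers below are constructed samples.

def port_ranges(ports, slot=1, prefix="ge"):
    """Collapse port numbers into contiguous port strings (ge.1.1-23, ge.1.48)."""
    runs, run = [], []
    for p in sorted(set(ports)):
        if run and p != run[-1] + 1:
            runs.append(run)
            run = []
        run.append(p)
    if run:
        runs.append(run)
    return [
        f"{prefix}.{slot}.{r[0]}" if len(r) == 1
        else f"{prefix}.{slot}.{r[0]}-{r[-1]}"
        for r in runs
    ]

def maclock_commands(all_ports, uplinks, first_arrival=100, static=1, slot=1):
    """Return the page's commands in order: per-port settings, global enable last."""
    access = set(all_ports) - set(uplinks)
    if not access:
        raise ValueError("no access ports left after removing uplinks")
    templates = [
        "set maclock trap {p} enable",
        "set maclock agefirstarrival {p} enable",
        "set maclock firstarrival {p} " + str(first_arrival),
        "set maclock static {p} " + str(static),
        "set maclock enable {p}",
    ]
    cmds = []
    for template in templates:
        for p in port_ranges(access, slot):
            cmds.append(template.format(p=p))
    cmds.append("set maclock enable")  # global enable goes last
    return cmds

if __name__ == "__main__":
    # Constructed sample: 48-port switch, ports 24 and 48 connect to other switches.
    for line in maclock_commands(range(1, 49), uplinks=[24, 48]):
        print(line)
```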
- Useful options
(su)->set maclock move ge.1.48
Change dynamic addresses to static on a particular port.
set maclock 00:00:00:00:00:01 ge.1.48 {create/disable/enable}
Assign a MAC address to a port with one of the following actions:
create – create and enable MAC locking for this entry
disable – disable MAC locking for this entry
enable – enable MAC locking for this entry (the MAC has to exist)
- Monitoring maclocking
(su)->show maclock stations static
Show statically assigned MAC addresses.
(su)->show maclock stations firstarrival
Show dynamically assigned MAC addresses.
(su)->show maclock stations
Show all assigned MAC addresses.
(su)->show maclock
Check the settings.
dzbanek 2011-12-13